AD Replication Error

Genesis Support 301 Reputation points
2022-01-05T15:15:30.787+00:00

Hi All,

Happy New Year!

I have two Windows Server 2019 domain controller servers that have the AD DS and DNS roles installed. The names are BDC01 and BDC02.
Recently I've been getting DFS Replication errors on BDC02. Here is a copy of the event log entry from BDC02.

====================================

Log Name: DFS Replication
Source: DFSR
Date: 05/01/2022 14:15:45
Event ID: 5002
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: BDC02.gclo.local
Description:
The DFS Replication service encountered an error communicating with partner BDC01 for replication group Domain System Volume.

Partner DNS address: BDC01.gclo.local

Optional data if available:
Partner WINS Address: BDC01
Partner IP Address: 172.16.x.x

The service will retry the connection periodically.

Additional Information:
Error: 1825 (A security package specific error occurred.)
Connection ID: 3C4F9620-3573-4564-A461-04E160A25DF3
Replication Group ID: 41D066D9-BE75-4692-850E-51FB8C7F7778
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="DFSR" />
<EventID Qualifiers="49152">5002</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2022-01-05T14:15:45.197451600Z" />
<EventRecordID>293</EventRecordID>
<Channel>DFS Replication</Channel>
<Computer>BDC02.gclo.local</Computer>
<Security />
</System>
<EventData>
<Data>3C4F9620-3573-4564-A461-04E160A25DF3</Data>
<Data>BDC01</Data>
<Data>Domain System Volume</Data>
<Data>BDC01.gclo.local</Data>
<Data>BDC01</Data>
<Data>172.16.x.x</Data>
<Data>1825</Data>
<Data>A security package specific error occurred.</Data>
<Data>41D066D9-BE75-4692-850E-51FB8C7F7778</Data>
</EventData>
</Event>

===============================================

When I go to the AD Sites and Services and try to replicate configuration from the selected DC, I then get this error:

[screenshot: 162565-image.png]

[screenshot: 162480-image.png]

Can anyone tell me where and what I should be looking into in order to get this to replicate again and to stop the errors from appearing in BDC02 event logs?

Kind Regards
GMSS


5 answers

  1. Dave Patrick 426.2K Reputation points MVP
    2022-01-05T15:21:12.303+00:00

    I'd check that both domain controllers have their own static IP address listed for DNS plus loopback (127.0.0.1) and no others, such as a router or public DNS. Might also try a non-authoritative sync:
    https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

    Another option is to move the roles off, demote, reboot, and promote the problematic one again.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
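    The DNS client check described in this answer, scripted in PowerShell as an added example (this is not code from the original answer). It assumes the RSAT ActiveDirectory module on the machine it runs from, WinRM access to every DC, and that every DC's address is reported by Get-ADDomainController; the rule it enforces is the one above: only DC addresses and loopback, nothing like a router or public resolver.

    ```powershell
    # Added example: confirm each DC's DNS client points only at domain controllers
    # (including its own static address) plus loopback, and flags anything else.
    # Assumes RSAT ActiveDirectory and WinRM access to every DC.
    Import-Module ActiveDirectory

    $dcs     = Get-ADDomainController -Filter *
    $dcIps   = @($dcs | ForEach-Object { $_.IPv4Address })
    $allowed = $dcIps + '127.0.0.1'

    $report = foreach ($dc in $dcs) {
        # Collect the configured IPv4 DNS servers across every interface of this DC.
        $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                ForEach-Object { $_.ServerAddresses }
        } | Sort-Object -Unique

        # Anything that is neither a DC nor loopback (router, ISP, public DNS) is a finding.
        $unexpected = @($servers | Where-Object { $_ -notin $allowed })
        # The DC's own static address must be present, per the recommendation above.
        $hasOwnIp   = $servers -contains $dc.IPv4Address

        [pscustomobject]@{
            DC         = $dc.HostName
            DnsServers = ($servers -join ', ')
            Unexpected = ($unexpected -join ', ')
            HasOwnIp   = $hasOwnIp
            Ok         = ($hasOwnIp -and $unexpected.Count -eq 0)
        }
    }

    $report | Format-Table -AutoSize
    ```

    Any row with Ok = False is a DC whose resolver list needs fixing before anything else in the thread is worth trying, because both DFSR and AD replication locate their partner through DNS first and authenticate second.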


  2. Thameur-BOURBITA 32,596 Reputation points
    2022-01-05T16:06:25.673+00:00

    Hi,

    It seems to be a DNS issue.
    Each domain controller has an NTDS alias used for Active Directory replication.
    Start by checking whether BDC1 is able to resolve the alias in the NTDS Settings of BDC2, and whether BDC2 is able to resolve the alias in the NTDS Settings of BDC1:

    [screenshot: 162583-image.png]

    Please don't forget to mark helpful reply as answer
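    The resolution check this answer describes, as an added PowerShell example (not code from the original answer). Each DC's replication alias is the objectGUID of its NTDS Settings object followed by `._msdcs.<forest root>`; the script builds that name for every DC and asks every other DC's own DNS service to resolve it, so a stale or missing CNAME on one DC shows up as a failed or wrong-target row. It assumes RSAT ActiveDirectory and network reach to each DC's DNS port.

    ```powershell
    # Added example: resolve every DC's NTDS Settings GUID alias from every partner DC.
    # Assumes the RSAT ActiveDirectory module and UDP/TCP 53 reachable on each DC.
    Import-Module ActiveDirectory

    $forest = (Get-ADForest).RootDomain        # _msdcs lives under the forest root zone
    $dcs    = Get-ADDomainController -Filter *

    # Build <objectGUID>._msdcs.<forest root> for each DC from its NTDS Settings object.
    $aliases = foreach ($dc in $dcs) {
        $guid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
        [pscustomobject]@{ DC = $dc.HostName; Alias = "$guid._msdcs.$forest" }
    }

    $results = foreach ($resolver in $dcs) {
        foreach ($a in $aliases) {
            if ($a.DC -eq $resolver.HostName) { continue }   # a DC resolving itself is not the interesting case
            try {
                # Ask this DC's own DNS service directly, bypassing the client cache.
                $answer = Resolve-DnsName -Name $a.Alias -Type CNAME -Server $resolver.IPv4Address -DnsOnly -ErrorAction Stop
                $target = ($answer | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
                $ok     = ($target -eq $a.DC)                 # CNAME must point at the partner's FQDN
            } catch {
                $target = $_.Exception.Message
                $ok     = $false
            }
            [pscustomobject]@{
                Resolver = $resolver.HostName
                Partner  = $a.DC
                Alias    = $a.Alias
                Target   = $target
                Ok       = $ok
            }
        }
    }

    $results | Format-Table -AutoSize
    ```

    A row whose Target is not the partner's FQDN usually means the _msdcs zone on that resolver is stale or not replicating; the Netlogon service on the partner re-registers the CNAME when restarted, but only if the resolver it is pointed at is one that will accept the dynamic update.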


  3. Limitless Technology 39,421 Reputation points
    2022-01-10T08:34:00.11+00:00

    Hello

    Thank you for your question and reaching out.

    I understand you are facing an issue with AD replication.

    From the event logs, it seems to be an issue with communication between the two DCs.
    I suggest you follow the steps below to resolve the issue.

    1. Temporarily disable any antivirus program or Windows Firewall you may have.
    2. Download the Active Directory Replication Status Tool, which should report your AD replication state.
      https://www.microsoft.com/en-in/download/details.aspx?id=30005
    3. Verify on each DC that the preferred DNS IP is that of your primary DC holding the FSMO roles.
    4. Verify that date and time are in sync.

    For the error "Target Principal Name is incorrect", it may have happened because the KCC password expired; in that case you can reset it using the steps below.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/replication-error-2146893022

    -------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--
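    Steps 2 to 4 above, plus the password reset from the linked article, as one added PowerShell example meant to be run on the DC that logs the error (BDC02 in this thread); it is not code from the original answer or from Microsoft's article. Error 1825 in the question's event is RPC_S_SEC_PKG_ERROR, the RPC layer reporting that Kerberos authentication to the partner failed, and -2146893022 (0x80090322, SEC_E_WRONG_PRINCIPAL) is the value behind "The target principal name is incorrect"; both are what a clock skew or a mismatched machine-account password looks like from the outside. The script assumes RSAT ActiveDirectory, the in-box w32tm, klist, netdom and repadmin tools, Domain Admin rights, and that `$Partner` is a DC that still replicates correctly. The `-DoReset` switch is the script's own and nothing destructive runs without it.

    ```powershell
    # Added example: time skew, per-partner replication status, and the machine-account
    # password reset from the linked article. Run locally on the failing DC (BDC02).
    # Assumes RSAT ActiveDirectory, in-box w32tm/klist/netdom/repadmin, Domain Admin rights.
    param(
        [string]$Partner = 'BDC01',   # a DC that is still healthy
        [switch]$DoReset              # only touch the machine-account password when asked
    )
    Import-Module ActiveDirectory

    # --- Step 4: clock offset to the partner. Kerberos rejects skew above 5 minutes (300 s). ---
    $lines  = w32tm /stripchart /computer:$Partner /samples:3 /dataonly
    $offset = $null
    foreach ($line in $lines) {
        # /dataonly prints lines like "14:15:45, +00.0016373s"; keep the last offset seen.
        if ($line -match ',\s*([+-]\d+\.\d+)s') { $offset = [double]$matches[1] }
    }
    if ($null -eq $offset) {
        Write-Warning "Could not read a time offset from $Partner; check NTP/RPC reachability first."
    } elseif ([math]::Abs($offset) -gt 300) {
        Write-Warning "Clock skew to $Partner is $offset s; Kerberos will fail until time is fixed."
    } else {
        "Clock offset to ${Partner}: $offset s (within Kerberos tolerance)"
    }

    # --- Steps 2/3 equivalent: inbound replication result from every partner of this DC. ---
    # LastReplicationResult 0 = success; -2146893022 = SEC_E_WRONG_PRINCIPAL (target principal name incorrect).
    Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server |
        Select-Object Partner, Partition, LastReplicationResult, LastReplicationSuccess, LastReplicationAttempt |
        Format-Table -AutoSize

    # --- Fix from the linked article: reset THIS DC's machine-account password against $Partner. ---
    if ($DoReset) {
        Stop-Service kdc                  # stop the local KDC so it cannot issue tickets from the stale key
        klist purge | Out-Null            # drop cached tickets in this session
        # netdom prompts for the password because of /passwordd:* ; the new secret is written to $Partner.
        netdom resetpwd /server:$Partner /userd:"$env:USERDOMAIN\Administrator" /passwordd:*
        Start-Service kdc
        # Pull the domain partition from the partner to confirm the channel works again.
        repadmin /replicate $env:COMPUTERNAME $Partner (Get-ADDomain).DistinguishedName
    }
    ```

    Run it once without `-DoReset` to read the skew and the per-partner result codes; if the clock is fine and the result for the partner is -2146893022, run it again with `-DoReset`. The reset has to be executed on the DC whose password is out of sync, with its own KDC stopped, and `/server` must name a DC that still replicates, otherwise the new password never reaches the KDC that will validate the next ticket request.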


  4. Genesis Support 301 Reputation points
    2022-01-10T09:19:20.587+00:00

    Hi Guys,

    Apologies for the delay in replying. What I decided to do over the weekend was to install a 3rd DC, and after installing and promoting it, the replication between DC1 and DC2 started to work again. Not sure why introducing the 3rd DC would fix the replication issue.

    As of now, and from what I can tell, all 3 DCs are now replicating with each other.

    Could it be that introducing the 3rd DC would have reset the KCC for DC1 and DC2?

    Very strange indeed...

    Kind regards
    GMSS


  5. Dave Patrick 426.2K Reputation points MVP
    2022-01-10T13:43:15.283+00:00

    > Could it be that introducing the 3rd DC would have reset the KCC for DC1 and DC2?

    Unlikely, but glad to hear of success.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
